Home page logo
/

basics logo Security Basics mailing list archives

Re: What does this mean?
From: Dedric Ramsey - Ramsey Consulting Svcs <ramseycs () bellsouth net>
Date: Mon, 26 Apr 2004 14:21:14 -0400


Adnan Ali wrote:


Active Connections:
Proto Local Addr Foreign Addr State ============================================

TCP    0.0.0.0:135   0.0.0.0:0        LISTENING

This is used for NetBIOS


TCP    0.0.0.0:445   0.0.0.0:0        LISTENING

So is this port.

TCP    0.0.0.0:1026  0.0.0.0:0        LISTENING

TCP    0.0.0.0:1027  0.0.0.0:0        LISTENING

These two seem normal as well, the same with ports 135,445,1025/UDP shown below.

UDP 0.0.0.0:135 *:* UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:38037 *:*

As for this port, Google led me to this site (http://www.ncsu.edu/it/antivirus/install/FireWall-Ports.html), which says:

Msgsys
Msgsys is an Alert Management System (AMS) process for generating and sending configured AMS alerts. Msgsys communications uses port 38037 and 38292 for both TCP and UDP communication.

Are you running any Symantec Products, specifically one of their AV lines, or Firewalls?

UDP 172.20.4.76:500 *:*

This is used for ISAKMP (Internet Security Association and Key Management Protocol), so there shouldnt be anything to worry about there either. Its just there since Windows 2000 supports IPSec.

I get this output even when I am running no network application on the machine.

Of course, this all seems quite suspicious.
Can somebody please help me figure out what is going
on? At least find the respective applications
listening
on various ports.??

Thanks and best regards,

So to me, with just the information you've provided, nothing is out of the ordinary. Of course, if it makes you feel better, point Nmap or something similar at it and see what you find. Same with your AV scanner of choice. (Trend Micro has a nice web based one on their site, as does Panda, although Ive never used theirs)

Take care,

--
Dedric Ramsey
Ramsey Consulting Services
770.826.8008


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]